繼 記一次傳遞檔案句柄引發的血案 之后,這個 demo 又引發了一次血案,現錄如下,
這次我是在 linux 上測驗檔案句柄的傳遞,linux 上并沒有 STREAMS 系統,
因此是采用 unix domain socket 的 sendmsg/recvmsg 中控制訊息部分來傳遞句柄的,
代碼的主要修改部分集中于發送 fd 與接收 fd 處,一開始代碼是這樣的,運行良好,
spipe_fd.c
1 #define MAXLINE 128 2 #define RIGHTSLEN CMSG_LEN(sizeof(int)) 3 #define CREDSLEN CMSG_LEN(sizeof(struct CREDSTRUCT)) 4 #define CONTROLLEN (RIGHTSLEN+CREDSLEN) 5 6 int send_fd (int fd, int fd_to_send) 7 { 8 struct iovec iov[1]; 9 struct msghdr msg; 10 struct cmsghdr *cmptr = NULL; 11 char buf[2]; 12 13 iov[0].iov_base = buf; 14 iov[0].iov_len = 2; 15 16 msg.msg_iov = iov; 17 msg.msg_iovlen = 1; 18 msg.msg_name = NULL; 19 msg.msg_namelen = 0; 20 msg.msg_flags = 0; 21 22 if (fd_to_send < 0) { 23 msg.msg_control = NULL; 24 msg.msg_controllen = 0; 25 buf[1] = -fd_to_send; 26 if (buf[1] == 0) 27 buf[1] = 1; 28 } else { 29 if ((cmptr = malloc(CONTROLLEN)) == NULL) { 30 fprintf (stderr, "malloc memory failed\n"); 31 return -1; 32 } 33 34 msg.msg_control = cmptr; 35 msg.msg_controllen = CONTROLLEN; 36 37 cmptr->cmsg_level = SOL_SOCKET; 38 cmptr->cmsg_type = SCM_RIGHTS; 39 cmptr->cmsg_len = CONTROLLEN; 40 41 *(int *) CMSG_DATA(cmptr) = fd_to_send; 42 buf[1] = 0; 43 } 44 45 buf[0] = 0; 46 if (sendmsg(fd, &msg, 0) != 2) { 47 free (cmptr); 48 return -1; 49 } 50 51 free (cmptr); 52 return 0; 53 }
以上是發送句柄部分,重點位于 37-39 行,設定了控制訊息的型別與句柄的值,
sendmsg 中的資料訊息部分,用來兼容出錯的場景(出錯時可以提供一個-1~-255的錯誤碼,及一段描述資訊),關鍵資訊位于控制部分,
下面來看訊息的接收:
1 int recv_fd (int fd, uid_t *uidptr, ssize_t (*userfunc) (int, const void*, size_t)) 2 { 3 struct cmsghdr *cmptr = NULL; 4 int newfd, nr, status; 5 char *ptr; 6 char buf[MAXLINE]; 7 struct iovec iov[1]; 8 struct msghdr msg; 9 10 status = -1; 11 newfd = -1; 12 13 for (;;) { 14 iov[0].iov_base = buf; 15 iov[0].iov_len = sizeof (buf); 16 17 msg.msg_iov = iov; 18 msg.msg_iovlen = 1; 19 msg.msg_name = NULL; 20 msg.msg_namelen = 0; 21 22 if ((cmptr = malloc (CONTROLLEN)) == NULL) { 23 fprintf (stderr, "malloc error\n"); 24 return -1; 25 } 26 27 msg.msg_control = cmptr; 28 msg.msg_controllen = CONTROLLEN; 29 30 if ((nr = recvmsg (fd, &msg, 0)) < 0) { 31 fprintf (stderr, "recvmsg error\n"); 32 free (cmptr); 33 return -1; 34 } else if (nr == 0) { 35 fprintf (stderr, "connection closed by server\n"); 36 free (cmptr); 37 return -1; 38 } 39 40 for (ptr = buf; ptr < &buf[nr]; ) { 41 if (*ptr ++ == 0) { 42 if (ptr != &buf[nr-1]) { 43 fprintf (stderr, "message format error"); 44 free (cmptr); 45 return -1; 46 } 47 48 status = *ptr & 0xff; 49 if (status == 0) { 50 if (msg.msg_controllen != CONTROLLEN) { 51 fprintf (stderr, "status = 0 but no fd\n"); 52 free (cmptr); 53 return -1; 54 } 55 56 newfd = *(int *) CMSG_DATA(cmptr); 57 } else { 58 newfd = -status; 59 } 60 61 nr -= 2; 62 } 63 } 64 65 free(cmptr); 66 if (nr > 0 && (*userfunc)(STDERR_FILENO, buf, nr) != nr) 67 return -1; 68 69 if (status >= 0) 70 return newfd; 71 } 72 73 return -1; 74 }
接收部分的重點位于 56 行,這里取得了對方傳遞過來的檔案句柄(注意不是簡單的值傳遞!參考上篇文章)
其它一些代碼則用來處理出錯資訊,當出現錯誤時,呼叫 userfunc 列印錯誤資訊 (用戶一般傳遞 write) ,
另外介面中 uidptr 引數并沒有用,這個是為將來擴展預留的,
使用之前的 demo (spipe_server.c / spipe_client.c)編譯、運行,輸出結果如下:
./spipe_server ./spipe_client create pipe 3.4 3 7 create temp file /tmp/outliqA3i with fd 4 seek to head send fd 4 to peer recv fd 3, position 0 create temp file /tmp/inaLr30i with fd 4 source: 3 7 seek to head send fd 4 recv fd 5 from peer, position 0 10
可以看到通過新的方式傳遞的檔案句柄值也發生了變化(從 4 變為 3),且也需要對檔案偏移進行重置,否則還會掉到之前文章說的那個坑里,
問題出現在增加一些代碼來傳遞發送行程憑證(如uid)時,此時發送方需要傳遞兩個控制子訊息(分別表示句柄與憑證),接收方也需要處理兩個子訊息,
新的發送代碼如下:
1 #define MAXLINE 128 2 #if defined(SCM_CREDS) // on BSD 3 #define CREDSTRUCT cmsgcred 4 #define CR_UID cmcred_uid 5 #define CREDOPT LOCAL_PEERCRED 6 #define SCM_CREDTYPE SCM_CREDS 7 #elif defined(SCM_CREDENTIALS) // on linux 8 #define CREDSTRUCT ucred 9 #define CR_UID uid 10 #define CREDOPT SO_PASSCRED 11 #define SCM_CREDTYPE SCM_CREDENTIALS 12 #else 13 #error passing credentials is unsupported! 14 #endif 15 16 #define RIGHTSLEN CMSG_LEN(sizeof(int)) 17 #define CREDSLEN CMSG_LEN(sizeof(struct CREDSTRUCT)) 18 #define CONTROLLEN (RIGHTSLEN+CREDSLEN) 19 20 21 int send_fd (int fd, int fd_to_send) 22 { 23 struct iovec iov[1]; 24 struct msghdr msg; 25 struct cmsghdr *cmptr = NULL; 26 char buf[2]; 27 struct CREDSTRUCT *credp; 28 struct cmsghdr *cmp; 29 30 iov[0].iov_base = buf; 31 iov[0].iov_len = 2; 32 33 msg.msg_iov = iov; 34 msg.msg_iovlen = 1; 35 msg.msg_name = NULL; 36 msg.msg_namelen = 0; 37 msg.msg_flags = 0; 38 39 if (fd_to_send < 0) { 40 msg.msg_control = NULL; 41 msg.msg_controllen = 0; 42 buf[1] = -fd_to_send; 43 if (buf[1] == 0) 44 buf[1] = 1; 45 } else { 46 if ((cmptr = malloc(CONTROLLEN)) == NULL) { 47 fprintf (stderr, "malloc memory failed\n"); 48 return -1; 49 } 50 51 msg.msg_control = cmptr; 52 msg.msg_controllen = CONTROLLEN; 53 54 cmp = cmptr; 55 cmp->cmsg_level = SOL_SOCKET; 56 cmp->cmsg_type = SCM_RIGHTS; 57 cmp->cmsg_len = RIGHTSLEN; 58 *(int *) CMSG_DATA(cmp) = fd_to_send; 59 60 cmp = CMSG_NXTHDR(&msg, cmp); 61 cmp->cmsg_level = SOL_SOCKET; 62 cmp->cmsg_type = SCM_CREDTYPE; 63 cmp->cmsg_len = CREDSLEN; 64 credp = (struct CREDSTRUCT *) CMSG_DATA(cmp); 65 66 # if defined(SCM_CREDENTIALS) 67 // only linux need to set members of this struct ! 68 credp->uid = getuid (); 69 credp->gid = getegid (); 70 credp->pid = getpid (); 71 # endif 72 buf[1] = 0; 73 } 74 75 buf[0] = 0; 76 if (sendmsg(fd, &msg, 0) != 2) { 77 free (cmptr); 78 return -1; 79 } 80 81 free (cmptr); 82 return 0; 83 }
最開始的一些宏定義,是用來區分 linux 與 bsd 上一些細節,重點在 55-64 行,這兩段代碼分別設定了句柄與憑證,
然后控制訊息的大小 CONTROLLEN 由兩部分訊息的長度(RIGHTSLEN 與 CREDSLEN)累加得到,分配的記憶體也是這么大,
再來看接收部分:
1 int recv_fd (int fd, uid_t *uidptr, ssize_t (*userfunc) (int, const void*, size_t)) 2 { 3 struct cmsghdr *cmptr = NULL; 4 5 int newfd, nr, status; 6 char *ptr; 7 char buf[MAXLINE]; 8 struct iovec iov[1]; 9 struct msghdr msg; 10 11 status = -1; 12 newfd = -1; 13 14 const int on = -1; 15 struct cmsghdr *cmp; 16 struct CREDSTRUCT *credp; 17 if (setsockopt (fd, SOL_SOCKET, CREDOPT, &on, sizeof(int)) < 0) { 18 fprintf (stderr, "setsockopt for %d failed\n", CREDOPT); 19 return -1; 20 } 21 22 for (;;) { 23 iov[0].iov_base = buf; 24 iov[0].iov_len = sizeof (buf); 25 26 msg.msg_iov = iov; 27 msg.msg_iovlen = 1; 28 msg.msg_name = NULL; 29 msg.msg_namelen = 0; 30 31 if ((cmptr = malloc (CONTROLLEN)) == NULL) { 32 fprintf (stderr, "malloc error\n"); 33 return -1; 34 } 35 36 msg.msg_control = cmptr; 37 msg.msg_controllen = CONTROLLEN; 38 39 if ((nr = recvmsg (fd, &msg, 0)) < 0) { 40 fprintf (stderr, "recvmsg error\n"); 41 free (cmptr); 42 return -1; 43 } else if (nr == 0) { 44 fprintf (stderr, "connection closed by server\n"); 45 free (cmptr); 46 return -1; 47 } 48 49 for (ptr = buf; ptr < &buf[nr]; ) { 50 if (*ptr ++ == 0) { 51 if (ptr != &buf[nr-1]) { 52 fprintf (stderr, "message format error"); 53 free (cmptr); 54 return -1; 55 } 56 57 status = *ptr & 0xff; 58 if (status == 0) { 59 if (msg.msg_controllen != CONTROLLEN) { 60 fprintf (stderr, "status = 0 but no fd\n"); 61 free (cmptr); 62 return -1; 63 } 64 65 for (cmp = CMSG_FIRSTHDR(&msg); cmp != NULL; cmp = CMSG_NXTHDR(&msg, cmp)) { 66 if (cmp->cmsg_level != SOL_SOCKET) { 67 fprintf (stderr, "ignore unknown socket level %d\n", cmp->cmsg_level); 68 continue; 69 } 70 71 switch (cmp->cmsg_type) { 72 case SCM_RIGHTS: 73 newfd = *(int *) CMSG_DATA(cmp); 74 break; 75 case SCM_CREDTYPE: 76 credp = (struct CREDSTRUCT *) CMSG_DATA(cmp); 77 *uidptr = credp->CR_UID; 78 break; 79 default: 80 fprintf (stderr, "ignore unknown msg type %d\n", cmp->cmsg_type); 81 break; 82 } 83 } 84 } else { 85 newfd = -status; 86 } 87 88 nr -= 2; 89 } 90 } 91 92 free(cmptr); 93 if (nr > 0 && (*userfunc)(STDERR_FILENO, buf, nr) != nr) 94 return -1; 95 96 if (status >= 0) 97 return newfd; 98 } 99 100 return -1; 101 }
重點分為兩個部分:
14-20 行,設定 unix domain socket 可以接收憑證資訊;
65-83 行,分別讀取控制訊息中的句柄與憑證資訊,這里我們取了發送行程的 uid 資訊作為憑證回傳給上層呼叫者;
與發送訊息類似,這里使用系統提供的 CMSG_FIRSTHDR、CMSG_NXTHDR 在控制訊息中遍歷各個子部分,
重新編譯、運行 demo,卻發現出錯了:
./spipe_server ./spipe_client create pipe 3.4 3 7 create temp file /tmp/outgQY1Y4 with fd 4 seek to head send fd 4 to peer recv fd 3, uid 500, position 0 create temp file /tmp/invVgKW4 with fd 4 source: 3 7 seek to head connection closed by server recv fd from peer failed, error -1
從輸出日志看,第一次從 server 發往 client 的句柄及憑證是可以的(line 7),再之后 client 處理完訊息回傳時,就出錯了,
首先定位出錯代碼位置,在 client 回傳這里 (send_fd),加入一些日志:
1 if ((cmptr = malloc(CONTROLLEN)) == NULL) { 2 fprintf (stderr, "malloc memory failed\n"); 3 return -1; 4 } 5 6 msg.msg_control = cmptr; 7 msg.msg_controllen = CONTROLLEN; 8 9 cmp = cmptr; 10 cmp->cmsg_level = SOL_SOCKET; 11 cmp->cmsg_type = SCM_RIGHTS; 12 cmp->cmsg_len = RIGHTSLEN; 13 *(int *) CMSG_DATA(cmp) = fd_to_send; 14 fprintf (stderr, "add fd with len %d\n", RIGHTSLEN); 15 16 cmp = CMSG_NXTHDR(&msg, cmp); 17 cmp->cmsg_level = SOL_SOCKET; 18 cmp->cmsg_type = SCM_CREDTYPE; 19 cmp->cmsg_len = CREDSLEN; 20 credp = (struct CREDSTRUCT *) CMSG_DATA(cmp); 21 fprintf (stderr, "add credential with len %d\n", CREDSLEN); 22 23 # if defined(SCM_CREDENTIALS) 24 // only linux need to set members of this struct ! 25 credp->uid = getuid (); 26 credp->gid = getegid (); 27 credp->pid = getpid (); 28 fprintf (stderr, "set uid %d, gid %d, pid %d\n", credp->uid, credp->gid, credp->pid); 29 # endif 30 buf[1] = 0;
標黃的是新加入的輸出日志,再次編譯運行:
./spipe_server ./spipe_client create pipe 3.4 3 7 create temp file /tmp/outivt2Og with fd 4 seek to head add fd with len 16 add credential with len 24 set uid 500, gid 500, pid 12071 send fd 4 to peer recv fd 3, uid 500, position 0 create temp file /tmp/inHqRwMg with fd 4 source: 3 7 seek to head add fd with len 16 connection closed by server recv fd from peer failed, error -1
可以看到,第一次傳遞時,這三條日志全都正確輸出了,而回傳時,只輸出了第一條日志,
所以明顯是在第一條日志與第二條日志之間的代碼出了問題,左看右看,看不出這塊有什么問題,難道系統提供的 CMSG_NXTHDR 會出錯?
這邊再加兩條日志:
1 if ((cmptr = malloc(CONTROLLEN)) == NULL) { 2 fprintf (stderr, "malloc memory failed\n"); 3 return -1; 4 } 5 6 msg.msg_control = cmptr; 7 msg.msg_controllen = CONTROLLEN; 8 9 cmp = cmptr; 10 cmp->cmsg_level = SOL_SOCKET; 11 cmp->cmsg_type = SCM_RIGHTS; 12 cmp->cmsg_len = RIGHTSLEN; 13 *(int *) CMSG_DATA(cmp) = fd_to_send; 14 fprintf (stderr, "add fd with len %d\n", RIGHTSLEN); 15 fprintf (stderr, "cmsghdr = %d, cmsglen = %d, after align = %d, control len = %d\n", sizeof(struct cmsghdr), CREDSLEN, CMSG_ALIGN(CREDSLEN), CONTROLLEN); 16 17 cmp = CMSG_NXTHDR(&msg, cmp); 18 fprintf (stderr, "cmp = %p\n", cmp); 19 cmp->cmsg_level = SOL_SOCKET; 20 cmp->cmsg_type = SCM_CREDTYPE; 21 cmp->cmsg_len = CREDSLEN; 22 credp = (struct CREDSTRUCT *) CMSG_DATA(cmp); 23 fprintf (stderr, "add credential with len %d\n", CREDSLEN); 24 25 # if defined(SCM_CREDENTIALS) 26 // only linux need to set members of this struct ! 27 credp->uid = getuid (); 28 credp->gid = getegid (); 29 credp->pid = getpid (); 30 fprintf (stderr, "set uid %d, gid %d, pid %d\n", credp->uid, credp->gid, credp->pid); 31 # endif 32 buf[1] = 0;
第二條日志是主要懷疑的地方,看指標是否為空;第一條日志則是懷疑塊大小計算有誤,導致分配的記憶體不夠大,指標遞增時出現了范圍錯誤,所以這里列印各種長度做驗證,
再次運行后,又多了一些輸出:
./spipe_server ./spipe_client create pipe 3.4 3 7 create temp file /tmp/out7UgSYZ with fd 4 seek to head add fd with len 16 cmsghdr = 12, cmsglen = 24, after align = 24, control len = 40 cmp = 0x9ded018 add credential with len 24 set uid 500, gid 500, pid 12100 send fd 4 to peer recv fd 3, uid 500, position 0 create temp file /tmp/inC3nyWZ with fd 4 source: 3 7 seek to head add fd with len 16 cmsghdr = 12, cmsglen = 24, after align = 24, control len = 40 cmp = (nil) connection closed by server recv fd from peer failed, error -1
神奇的地方出現了,同樣的代碼,相同的尺寸,第一次指標正常;第二次就為空了!
崩潰點找到了,但是還是一頭霧水,看起來資料塊都對齊了,計算也沒毛病,難道是這個系統提供的宏 (CMSG_NXTHDR) 出問題了嗎?
翻看頭檔案,找到這一段的定義 (我所在的系統,位于 /usr/include/bits/socket.h (L311)):
1 __EXTERN_INLINE struct cmsghdr * 2 __NTH (__cmsg_nxthdr (struct msghdr *__mhdr, struct cmsghdr *__cmsg)) 3 { 4 if ((size_t) __cmsg->cmsg_len < sizeof (struct cmsghdr)) 5 /* The kernel header does this so there may be a reason. */ 6 return 0; 7 8 __cmsg = (struct cmsghdr *) ((unsigned char *) __cmsg 9 + CMSG_ALIGN (__cmsg->cmsg_len)); 10 if ((unsigned char *) (__cmsg + 1) > ((unsigned char *) __mhdr->msg_control 11 + __mhdr->msg_controllen) 12 || ((unsigned char *) __cmsg + CMSG_ALIGN (__cmsg->cmsg_len) 13 > ((unsigned char *) __mhdr->msg_control + __mhdr->msg_controllen))) 14 /* No more entries. */ 15 return 0; 16 return __cmsg; 17 }
這段 INLINE 函式主要包含三個判斷,
1)子訊息長度小于訊息頭長度,回傳 null;
2)下一個子訊息的訊息頭超出訊息尾部,回傳null;
3)下一個子訊息的訊息體超出訊息尾部,回傳null;
直接修改系統代碼不方便,將這個函式拷貝到本地并重全名為 my_cmsg_nxthdr,在各個判斷下面添加日志輸出:
1 struct cmsghdr *my_cmsg_nxthdr (struct msghdr *__mhdr, struct cmsghdr *__cmsg) 2 { 3 if ((size_t) __cmsg->cmsg_len < sizeof (struct cmsghdr)) { 4 /* The kernel header does this so there may be a reason. */ 5 fprintf (stderr, "in step1\n"); 6 return 0; 7 } 8 9 fprintf (stderr, "%p: cmsg_len %u, cmsg_level %d, cmsg_type %d\n", __cmsg, __cmsg->cmsg_len, __cmsg->cmsg_level, __cmsg->cmsg_type); 10 __cmsg = (struct cmsghdr *) ((unsigned char *) __cmsg + CMSG_ALIGN (__cmsg->cmsg_len)); 11 if ((unsigned char *) (__cmsg + 1) > ((unsigned char *) __mhdr->msg_control + __mhdr->msg_controllen)) { 12 fprintf (stderr, "in step2\n"); 13 return 0; 14 } 15 16 fprintf (stderr, "%p: cmsg_len %u, cmsg_level %d, cmsg_type %d\n", __cmsg, __cmsg->cmsg_len, __cmsg->cmsg_level, __cmsg->cmsg_type); 17 if (((unsigned char *) __cmsg + CMSG_ALIGN (__cmsg->cmsg_len) > ((unsigned char *) __mhdr->msg_control + __mhdr->msg_controllen))) { 18 /* No more entries. */ 19 fprintf (stderr, "in step3\n"); 20 fprintf (stderr, "msg len %d, after align %d, msg control %d\n", __cmsg->cmsg_len, CMSG_ALIGN(__cmsg->cmsg_len), __mhdr->msg_controllen); 21 return 0; 22 } 23 24 fprintf (stderr, "in final step\n"); 25 return __cmsg; 26 }
為了便于根據不同的判斷條件輸出日志,這里對判斷條件進行了拆分,
再次運行 demo,輸出如下:
./spipe_server ./spipe_client create pipe 3.4 3 7 create temp file /tmp/outh7NhIs with fd 4 seek to head add fd with len 16 cmsghdr = 12, cmsglen = 24, after align = 24, control len = 40 0x9336008: cmsg_len 16, cmsg_level 1, cmsg_type 1 0x9336018: cmsg_len 0, cmsg_level 0, cmsg_type 0 in final step cmp = 0x9336018 add credential with len 24 set uid 500, gid 500, pid 12171 send fd 4 to peer recv fd 3, uid 500, position 0 create temp file /tmp/inoJMmKs with fd 4 source: 3 7 seek to head add fd with len 16 cmsghdr = 12, cmsglen = 24, after align = 24, control len = 40 0x904d008: cmsg_len 16, cmsg_level 1, cmsg_type 1 0x904d018: cmsg_len 500, cmsg_level 500, cmsg_type 16 in step3 msg len 500, after align 500, msg control 40 cmp = (nil) connection closed by server recv fd from peer failed, error -1
原來是第三個判斷出現了問題(Line 24)!
訊息總長度是 16 + 24 = 40,而這里的第二個子訊息單個的長度達到 500,明顯越界了,
但是第二個子訊息的長度明明是 24 呀,哪里跑出來的 500 呢?
而且它的其它欄位也明顯不對,例如訊息 level 也是 500,訊息型別是 16 !
初步可以確定是這塊記憶體被弄亂了,而從前面列印的訊息指標(0x904d008 與 0x904d018)看,分配的大小是沒問題的,因此記憶體越界問題先排除掉;
其次是我們設定好的內容……等等……我們好像還沒有設定第二個子訊息的內容!!
……
垃圾資料!!
……
malloc 之后沒有清空的垃圾資料!!
……
這也是第一次呼叫沒問題而第二次掉坑里的原因,隨著系統記憶體的分配回收而存在一定的隨機性!
找到原因之后,修改就簡單了,可以將 malloc 替換為 calloc,或者簡單的加一句 memset 來清空記憶體:
1 if ((cmptr = malloc(CONTROLLEN)) == NULL) { 2 fprintf (stderr, "malloc memory failed\n"); 3 return -1; 4 } 5 6 // important on linux, garbage data may mess cmsg_len fields, 7 // and cause CMSG_NXTHDR return null on protection. 8 memset (cmptr, 0, CONTROLLEN); 9 msg.msg_control = cmptr; 10 msg.msg_controllen = CONTROLLEN;
再次運行 demo,一切正常:
./spipe_server ./spipe_client create pipe 3.4 3 7 create temp file /tmp/outqsTYkp with fd 4 seek to head add fd with len 16 cmsghdr = 12, cmsglen = 24, after align = 24, control len = 40 0x814c008: cmsg_len 16, cmsg_level 1, cmsg_type 1 0x814c018: cmsg_len 0, cmsg_level 0, cmsg_type 0 in final step cmp = 0x814c018 add credential with len 24 set uid 500, gid 500, pid 12207 send fd 4 to peer recv fd 3, uid 500, position 0 create temp file /tmp/in3ntkip with fd 4 source: 3 7 seek to head add fd with len 16 cmsghdr = 12, cmsglen = 24, after align = 24, control len = 40 0x8389008: cmsg_len 16, cmsg_level 1, cmsg_type 1 0x8389018: cmsg_len 0, cmsg_level 0, cmsg_type 0 in final step cmp = 0x8389018 add credential with len 24 set uid 500, gid 500, pid 12208 send fd 4 recv fd 5, uid 500 from peer, position 0 10
通過這次 debug,找到了經典的 APUE 例子中的一個瑕疵 (隨機性比較大,大師剛好沒有遇到而已,可能你的機器也不復現),
不過回過頭來看這個場景,也不能全算在 coder 身上,我感覺系統提供的這個 CMSG_NXTHDR 宏也頗成問題:
如果我呼叫這個之前還沒有設定下一個子訊息,難道還不準我使用了么? 過多的檢查反而弄巧成拙,總之一句話:差評! 哈哈~
轉載請註明出處,本文鏈接:https://www.uj5u.com/caozuo/143886.html
標籤:Linux